Re: WebID and HTTPS Client Certificate Authentication

From: Dave Raggett <dsr@w3.org>
Date: Mon, 08 Aug 2011 10:35:59 +0100
Message-ID: <4E3FADFF.9060906@w3.org>
To: Henry Story <henry.story@bblfish.net>
CC: Anders Rundgren <anders.rundgren@telia.com>, "public-identity@w3.org" <public-identity@w3.org>

On 07/08/11 23:43, Henry Story wrote:
> On 7 Aug 2011, at 21:47, Dave Raggett wrote:
>> I plan to work on extending webkit and Mozilla to support this, as working code is always more compelling than just talk. However, to realize the trust models we need to discuss what is needed to support a culture of credentials that match up to real world requirements.
> what are you planning to do there?

The work on privacy friendly strong authentication and plans for further 
work are described in


The bigger challenge is to broaden the discussion for what is needed for 
online trust models.  To counter phishing, we need a means for the 
browser to verify that this website is the same as the one you set up 
your account with. That isn't too demanding, e.g. the browser could 
check that the site's public key is the same*.  Establishing trust in 
the first place is harder, and currently relies on faith in DNS in 
conjunction with the bank's domain name passed to you via the letters the 
bank sent you in the post.  In other circumstances, we need a way to 
establish trust online, and the current CA system doesn't suffice.  This 
is where we need further debate about the possibilities, and an analysis 
about the various approaches that have already been tried.  This is less 
about technology and more about society.

* we also need to break free of the current user id/password mess, but I 
didn't want to go into that here.

  Dave Raggett <dsr@w3.org>  http://www.w3.org/People/Raggett
Received on Monday, 8 August 2011 09:36:24 UTC
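
Added example, not part of the original message or of any browser's code: a model of the check the message describes, where the browser records the site's public key at account setup and compares it on later visits. The `KeyContinuityStore` class, the origins and the generated keys are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// SHA-256 over the DER-encoded SubjectPublicKeyInfo, i.e. the site's public key.
function spkiFingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('base64');
}

// Hypothetical per-browser store: origin -> fingerprint recorded at account setup.
class KeyContinuityStore {
  constructor() { this.pins = new Map(); }

  // Called once, when the user sets up the account with the site.
  // Whatever key is presented here is trusted: this is the hard first step.
  enroll(origin, publicKey) {
    if (this.pins.has(origin)) throw new Error('already enrolled: ' + origin);
    this.pins.set(origin, spkiFingerprint(publicKey));
  }

  // Called on every later visit, before any credential is released.
  check(origin, publicKey) {
    const pinned = this.pins.get(origin);
    if (pinned === undefined) return 'unknown';   // no account here: release nothing
    return pinned === spkiFingerprint(publicKey) ? 'match' : 'mismatch';
  }
}

// Constructed sample keys standing in for what each server presents in TLS.
const newKey = () =>
  crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }).publicKey;

function demo() {
  const bankKey = newKey();
  const otherKey = newKey();
  const store = new KeyContinuityStore();
  store.enroll('https://bank.example', bankKey);
  return {
    sameSite: store.check('https://bank.example', bankKey),
    keyChanged: store.check('https://bank.example', otherKey),
    lookalike: store.check('https://bank-login.example', otherKey),
  };
}

console.log(demo());
```

A legitimate key rotation also yields `mismatch`, so a deployment of this check needs a re-enrollment path.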